154 Commits

Author SHA1 Message Date
Stanko Krtalić 09d5b8c92f Merge pull request #2756 from basecamp/friendly-error-message-on-duplicate-passkey
Show separate error message when adding a Passkey twice
2026-03-26 14:19:35 +01:00
Stanko K.R. 6107d3cee1 Add margin ot error messages 2026-03-25 18:16:11 +01:00
Stanko K.R. df7c2678f3 Rename create_options to registration_options 2026-03-25 17:26:49 +01:00
Stanko K.R. 8e4f9ce5e7 Cleanup form helpers 2026-03-25 17:26:49 +01:00
Stanko K.R. 4fb1cddb4c Use WebComponents for buttons
This simplifies the loading and cleanup logic, while providing ubiquitous support across JS frameworks. Buttons can now be added in any way imaginable and still work without requiring additional initialization. The upside of this aproach is that it doesn't require a mutation observer nor a global click listener, and is supported by all browsers that also support passkeys.
2026-03-25 17:26:49 +01:00
Stanko K.R. 017bcc9ce1 Polish up Passkey interface
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
2026-03-18 11:51:10 +01:00
Rosa Gutierrez 1c2de6ca79 Clear offline cache on sign-in as well as sign-out
Rename logout controller to clear-offline-cache and attach it to the
magic link verification form so the service worker cache is cleared
when a different user signs in.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 10:20:54 +01:00
Rosa Gutierrez a949f1e3ae Clear offline cache when logging out
Adds a logout Stimulus controller that sends a message to the service
worker to clear all cached content when the user logs out. This ensures
that cached data from one user isn't accessible after logout.

The implementation:
- Adds logout_controller.js that posts { action: "clearCache" } to the
  service worker via postMessage
- Updates logout buttons to use the controller on form submission

Also fixes data-turbo placement: moved from button to form element where
it actually takes effect for disabling Turbo Drive form submissions.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-10 10:20:54 +01:00
Jeremy Daer 723c8180b4 Add JSON response format for full SDK/CLI coverage (#2675)
* Add JSON response format to void-response controller actions

Add respond_to blocks with JSON format to 14 controllers that
previously only rendered HTML or Turbo Stream responses. JSON
callers get head :no_content (or :created/:ok for push
subscriptions, distinguishing new vs existing).

Covers: board involvements, board/account entropies, column
reordering, card readings, card publishing, user roles, user
avatars, account settings, notification settings, join codes
(with 422 error branch), and push subscriptions.

* Add steps index endpoint with JSON view

Add index action to Cards::StepsController so SDK/CLI callers
can list all steps for a card. Reuses the existing _step.json
partial.

* Add JSON views for paginated card list endpoints

Add show.json.jbuilder for stream, not-now, and closed column
endpoints. No controller changes needed — set_page_and_extract_
portion_from and fresh_when already work format-agnostically.

* Add JSON search endpoint with distinct-card pagination

JSON search paginates distinct Card records (via the existing
Card.mentioning scope with .distinct) rather than Search::Record
objects. This ensures page boundaries, Link headers, and counts
reflect unique cards — no short pages from post-pagination dedup.

ID-match searches return a uniform single-element Card[] array
through the same pagination path.

* Add JSON views for settings and configuration endpoints

Add show.json.jbuilder for account settings (name), join codes
(code, usage_count, usage_limit, url, active), and notification
settings (bundle_email_frequency). Tests for show and update
were added in the void-response commit.

* Add JSON response format to data exports

Create returns 201 with export id, status, and created_at so
callers can poll. Show returns any-status exports for JSON (not
just completed) with a download_url when ready, or 404 for
missing/other-user exports.

* Extend access token JSON API

Add index.json and _access_token.json partial for listing tokens.
Add JSON format to destroy. Include id and created_at in the
create response alongside the existing token/description/permission
fields.

* Fix ambiguous precedence warning in export JSON view

* Assert X-Total-Count pagination header in streams JSON test

* Address review feedback

- Guard steps index against HTML requests (redirect to card)
- Normalize created_at to UTC in access token and export JSON
- Add deterministic ordering (.latest) to search JSON pagination

* Return 406 for HTML requests to steps index instead of redirect

* Add wrap_parameters for flat SDK JSON payload compatibility

Five controllers infer the wrong wrapper key from their class
name, so flat JSON bodies like {"role":"admin"} fail with 400.
Add explicit wrap_parameters declarations:

- Users::RolesController → :user
- Notifications::SettingsController → :user_settings
- Account::JoinCodesController → :account_join_code
- Account::SettingsController → :account
- Boards::EntropiesController → :board

Add integration tests that send flat (unwrapped) JSON payloads
for all seven param-bearing endpoints to prove SDK compatibility.

* Address PR review feedback

- Use 201 Created (not 204) for all create actions: publishes, readings,
  left/right positions, push subscriptions
- Simplify push subscription to always return :created (no 200/201 variance)
- Remove superfluous respond_to block from steps#index
- Merge exports#show into single respond_to block
- Move export download_url conditional out of inline args
- Ensure join code active is explicitly boolean
- Remove extra parens from search controller assignment
- Add blank lines between format blocks for readability

* Return JSON bodies on create actions

Create actions for boards, cards, columns, comments, and steps now
render the resource as JSON (via their show views) instead of returning
empty 201 responses with only a Location header. SDKs expect a JSON
body they can deserialize into the created resource.

* Return JSON bodies on reaction create actions

Card and comment reaction creates now render the reaction as JSON
instead of returning empty 201 responses, consistent with the other
resource-creating endpoints.

* Allow access tokens API without account scope

Access tokens are identity-level (not account-scoped), so the
controller needs to work with bearer token auth and no account slug
in the URL. Skip require_account so the bearer token auth path
can proceed.

Also fix involvement test to send params in JSON body (not query
string) to match real SDK usage.
2026-03-09 11:39:49 -07:00
Andy Smith f8815fd914 Merge pull request #2603 from nqst/mobile-nav-menu-no-autofocus
Mobile → Jump menu: Remove input autofocus
2026-03-03 09:37:10 -06:00
Jay Ohms 74eac289ee Improve the structure so users_with_active_accounts is available on identity 2026-02-27 09:17:12 -05:00
Jay Ohms 42900cf170 Only return identity accounts that are active with an active user 2026-02-26 16:45:16 -05:00
Rosa Gutierrez 628a43ef61 Small native API changes: include identity ID, return empty signup completion body
Include identity.id in the my/identity.json response and return an
empty body from the CREATE signup/completions.json endpoint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 14:34:09 +01:00
Alexander Zaytsev 6099884511 Remove jump menu input autofocus on touch screens 2026-02-24 15:57:42 +01:00
Adrien Maston 904917f648 Up-pin should be Unpin 2026-02-19 16:36:32 +01:00
Denis Švara a75d56d243 Merge branch 'main' into pins-api
* main: (127 commits)
  Align board name start so it doesn't get too big
  Clean up card/events header layout
  Sync email to Stripe when user changes email address (#2432)
  Fix IDOR in webhook activation endpoint (#2431)
  Add card reactions to API docs and reactions_url to card JSON (#2427)
  Remove unnecessary claude plan
  Allow boosts on cards (#2411)
  Revert "Fix notification click URL by using correct data property"
  Add migration to remove draft cards from search index
  Guard search indexing with searchable? check
  Forbid comments on draft cards
  prefactor: update search to use published cards
  Fix notification click URL by using correct data property
  Wait for service worker to be active before subscribing
  Fix stuck state when permission granted but no subscription
  Extract Card::Commentable
  Include arm64 build in Docker workflow
  Remove unnecessary `await` in push handler
  Correctly initialise WebPush connection (#2417)
  Update models, views, and fixtures for polymorphic reactions
  ...
2026-01-27 15:37:47 +01:00
Denis Švara e82dc08f6c Add JSON support for GET /my/pins with no pagination and tests. 2026-01-14 17:43:16 +01:00
Jay Ohms 3cada3ce82 Merge branch 'main' into mobile/bridge-components
* main:
  Add rollback script to convert relative URLs back to absolute
  Add a script to migrate existing rich texts to relative URLs
  Use relative URLs where possible across all the app
  Use relative URLs for avatars and rich text attachments
2026-01-14 09:39:08 -05:00
Rosa Gutierrez 527ffc42b9 Use relative URLs where possible across all the app
Skipping API responses, where we need absolute URLs, and those that are
intended for sharing or external use:

- account/join_codes/show.html.erb - Join code URL for sharing
- boards/edit/_publication.html.erb - Publication URL for sharing
- public/* views - Public page URLs and og:url meta tags
- pwa/manifest.json.erb - PWA manifest needs absolute URLs

For this, we had to replace `url_for` used with Active Storage variants
and previews with the specific path helper (for Active Storage
representations).
2026-01-14 11:01:42 +01:00
Adrien Maston 3b97b2e5c8 Merge branch 'main' into mobile/bridge-components
* main: (22 commits)
  Disable card column buttons when active
  Prevent comment content from overlapping with reaction button
  Delete pins belonging to cards in a board with revoked access
  Update development dependencies in SAAS lockfile
  Update runtime dependencies
  Update development dependencies
  Balance magic link instructions
  Add `.txt-balance` utility
  Move handleDesktop inside restoreColumnsDisablingTransitions
  Adjust border radius
  Clean up blank slates
  Add dialog manager to events page
  More sturated mini bubbles in light mode
  Brighten mini bubbles in dark mode
  Use separate cache namespaces for each beta instance
  Bump boost size up a tick on mobile
  Move Undo form inside closure message element
  Phrasing tweak for exceeding storage limit
  Keep strong tags words on same line
  Allow ActionText embed reuse and safe purge (#2346)
  ...
2026-01-14 10:34:13 +01:00
Denis Švara 4f7cec3b71 Rename bride page controller to title controller and remove text size related code. 2026-01-13 09:36:24 +01:00
Andy Smith 64fdbf6b8f Clean up blank slates 2026-01-12 15:37:06 -06:00
Jay Ohms d5fef48e42 Merge branch 'main' into mobile/bridge-components
* main:
  Consolidate footer text into a shared partial
  Tweak comment history button on mobile
  Transparent lexxy toolbar when inside a golden card
  Add rel noopener to external links
2026-01-09 14:42:22 -05:00
Andy Smith 509f0ca305 Consolidate footer text into a shared partial 2026-01-09 11:57:45 -06:00
Andrii Furmanets a84530a97f Add rel noopener to external links 2026-01-07 21:52:20 +02:00
Denis Švara ecf0921af9 Add bridge page targets. 2026-01-06 16:03:28 +01:00
Jay Ohms e379721c2f Merge branch 'main' into mobile-app/prepare-webviews
* main: (107 commits)
  Document the new sign in method
  Replace handle_ naming
  Use same constant for fake magic links
  Replace FakeMagicLink with a temporary object
  Tidy up session_token
  Clean up interfaces
  Split tests by controller or responsibility
  Simplify auth logic
  Fix due to unit test when creating with invalid emails
  Restore sessions_controller test on creating invalid email address
  Move magic link api tests to their own files
  Rename test to clarify what they're about
  Cleanup session creation
  Update to always return a pending auth token for JSON responses.
  Update API test for cross code
  Change test expectation on single tenant mode account creation
  Add unit tests for the new endpoints
  Pass a server token when creating a magic link via API
  Simplify code a bit
  Simplify session create logic for both html and json
  ...
2025-12-19 13:52:04 -05:00
Adrien Maston 573ffe0ee4 Add titles to pins and search permas 2025-12-19 15:44:36 +01:00
Jorge Manrubia 33fc239571 Merge pull request #2140 from dilberryhoundog/fix-stale-account-cache
Fix: resolve stale account names in jump menu and page titles
2025-12-19 11:26:23 +01:00
Andy Smith 1a01aa0a69 Fizzy menu a11y 2025-12-17 11:12:38 -06:00
Adrien Maston 86ec2959fb Move pins perma panel out of turbo frame 2025-12-17 12:55:58 +01:00
Adrien Maston 92e63d80cc Make my/pins perma mobile-friendly 2025-12-17 12:30:08 +01:00
Adrien Maston 0f26baee09 Hide elements
Menu, back buttons, bottom bar
2025-12-17 10:45:24 +01:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Dylan f01a648441 🐛 fix: resolve stale account names in jump menu and page titles
Add account data to fresh_when etag arrays so Rails serves fresh responses after account changes.

- Add @accounts to menus controller etag

- Add Current.account to boards controller etag

- Add ETag cache invalidation tests for both controllers
2025-12-15 15:59:25 +08:00
Kevin McConnell eec96ff384 Serve own avatar from its own endpoint
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
2025-12-12 09:03:35 +00:00
Stanko K.R. 3257e4a6e9 Inline partials 2025-12-10 15:27:56 +01:00
Stanko K.R. 5ce71bf941 Move Identities to My::Identities 2025-12-10 15:13:35 +01:00
Jason Zimdars d82093c0cd Complete the view transition loop 2025-12-10 09:23:52 +01:00
Jason Zimdars fa2eb06992 Design show view 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson d36be764e2 Awaiting JZ's design 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 96b62d6ec4 Only allow new token to be viewed within 10 seconds 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 88902485e1 Access tokens are strictly personal 2025-12-10 09:23:52 +01:00
Andy Smith 6074ed2347 Add blank slate to the main menu 2025-12-09 15:56:10 -06:00
Jason Zimdars e32ec6f5e9 Rename 2025-12-01 16:29:32 -06:00
Jason Zimdars b2feab1e60 Introduce a means to hide sections for filtering only 2025-12-01 16:21:35 -06:00
Jason Zimdars e4fb0e8314 Add static quick filters 2025-12-01 16:01:24 -06:00
Jason Zimdars 86332e3a2f Remove custom views UI 2025-12-01 16:00:42 -06:00
Andy Smith 48b70d175a Move card title margins to perma CSS 2025-12-01 15:40:28 -06:00
Jorge Manrubia 5e23e6c3d3 Prevent Fizzy menu from closing on page refreshes
https://app.fizzy.do/5986089/cards/3190
2025-11-27 07:07:27 +01:00